Build: Fix an XSS in the test server HTML serving logic #2309

mgol · 2024-10-25T22:36:16Z

The test server has a rule for /tests/unit/*/*.html paths that serves a proper local file. However, the parameters after /unit/ were so far not escaped, leading to possibly reading a file from outside of the Git repository. Fix that by replacing non-alphanumeric characters that are also not - or _.

This should resolve one CodeQL alert.

The test server has a rule for `/tests/unit/*/*.html` paths that serves a proper local file. However, the parameters after `/unit/` were so far not escaped, leading to possibly reading a file from outside of the Git repository. Fix that by replacing non-alphanumeric characters that are also not `-` or `_`. This should resolve one CodeQL alert.

mgol · 2024-10-25T22:44:32Z

tests/runner/createTestServer.js

 		const html = await readFile(
-			`tests/unit/${ req.params[ 0 ] }/${ req.params[ 0 ] }.html`,
+			`tests/unit/${ moduleEscaped }/${ moduleEscaped }.html`,


Funny, considering this is exactly the issue I'm fixing in this PR...

mgol added Comp: Build Needs review labels Oct 25, 2024

mgol added this to the 1.14.1 milestone Oct 25, 2024

mgol requested a review from timmywil October 25, 2024 22:36

mgol self-assigned this Oct 25, 2024

mgol force-pushed the codeql-createTestServer branch from fba692e to 84164d6 Compare October 25, 2024 22:37

github-advanced-security bot found potential problems Oct 25, 2024

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Build: Fix an XSS in the test server HTML serving logic #2309

Build: Fix an XSS in the test server HTML serving logic #2309

mgol commented Oct 25, 2024

mgol Oct 25, 2024

Build: Fix an XSS in the test server HTML serving logic #2309

Are you sure you want to change the base?

Build: Fix an XSS in the test server HTML serving logic #2309

Conversation

mgol commented Oct 25, 2024

mgol Oct 25, 2024

Choose a reason for hiding this comment